Remove iam:PassRole permission from Task handler (#26)

geedo0 · web-flow · commit 396a054ac7ff · 2020-12-31T14:06:04.000-05:00
This is not necessary for creating tasks.
diff --git a/aws-datasync-task/aws-datasync-task.json b/aws-datasync-task/aws-datasync-task.json
@@ -320,8 +320,7 @@
         "elasticfilesystem:DescribeFileSystems",
         "elasticfilesystem:DescribeMountTargets",
         "logs:DescribeLogGroups",
-        "iam:GetRole",
-        "iam:PassRole"
+        "iam:GetRole"
       ]
     },
     "read": {
@@ -349,8 +348,7 @@
         "fsx:DescribeFileSystems",
         "elasticfilesystem:DescribeFileSystems",
         "elasticfilesystem:DescribeMountTargets",
-        "iam:GetRole",
-        "iam:PassRole"
+        "iam:GetRole"
       ]
     },
     "list": {
diff --git a/aws-datasync-task/resource-role.yaml b/aws-datasync-task/resource-role.yaml
@@ -41,7 +41,6 @@ Resources:
                 - "elasticfilesystem:DescribeMountTargets"
                 - "fsx:DescribeFileSystems"
                 - "iam:GetRole"
-                - "iam:PassRole"
                 - "logs:DescribeLogGroups"
                 - "s3:ListAllMyBuckets"
                 - "s3:ListBucket"
